sybilattack
TRANSCRIPT
-
8/6/2019 sybilattack
1/22
CIS 700/003: Distributed Systemsmeet oc a etwor s
Sybil attack
March 23, 2010
2010 Andreas Haeberlen1
University of Pennsylvania
-
8/6/2019 sybilattack
2/22
ere are we
Building MAD systems
au s an s e av or
Internet crime Spoofing Sybil attack Today
en a o erv ce
Phishing
Novel opportunities
2010 Andreas Haeberlen
Experience2
University of Pennsylvania
-
8/6/2019 sybilattack
3/22
SybilGuard: Defending Against Sybilttac s v a oc a etwor s
Haifeng Yu Michael Kaminsky Phillip B. Gibbons Abraham Flaxman
SIGCOMM 2006
2010 Andreas Haeberlen3
University of Pennsylvania
-
8/6/2019 sybilattack
4/22
scuss on po n s
How good are their guarantees?
r y u w
Overhead?
va ua on conv nc ng How reliable is their estimation of N?
2010 Andreas Haeberlen4
University of Pennsylvania
-
8/6/2019 sybilattack
5/22
es o s c ass Other defenses against Sybil attacks
SybilLimit
2010 Andreas Haeberlen5
University of Pennsylvania
-
8/6/2019 sybilattack
6/22
o y a ac s occur n prac ce
Why is it called a 'Sybil' attack? Based on a 1973 book by F. R. Schreiber about a patient
ca e Sy i Dorsett pseu onym
'Sybil' was suffering from dissociative identity disorder; shemanifested 16 different ersonalities
Do S bil attacks occur in ractice? Yes. For example, they have been observed in the Maze
P2P system (Lian et al., ICDCS 2007) Demonstrated to be surprisingly easy in practice, e.g., in
the widely-used eMule system (Steiner et al., CCR 2007)
2010 Andreas Haeberlen6
University of Pennsylvania
-
8/6/2019 sybilattack
7/22
er e enses aga ns y a ac s ypical approach is to rely on the fact that
the attacker is limited in some resource R R can be many different things. Examples:
Storage: Give each node a large amount of uncompressible
data and randomly verify small excerpts. Bandwidth: Send lots of traffic and require the node to
res ond within a certain time interval.
Computation:Ask the node to solve a difficult computational
puzzle whose solution is easy to check (e.g., invert hash) Physical locations: Treat all nodes within some distance as a
single node If attacker has nodes in a few locations, he can fabricate new locations!
2010 Andreas Haeberlen
IP addresses: Require node to respond to probe packets
7University of Pennsylvania
-
8/6/2019 sybilattack
8/22
er e enses aga ns y a ac s
Real-world identities: Certify mapping to passport
identity
Human attention: To get a new identity, require solving a
as a compu ers canno so ve e.g., Can be defeated by hiring low-wage workers to solve CAPTCHAs
Physical machines: Bind identities to a TPM, etc.
Challenge: Assume the attacker has rAunits of the resource, and the
weakest legitimate user has rM
2010 Andreas Haeberlen
,the attacker can create rA/rM identities8
University of Pennsylvania
-
8/6/2019 sybilattack
9/22
SybilLimit: A Near-Optimal Social Networke ense aga nst y ttac s
Haifeng Yu Michael Kaminsky Phillip B. Gibbons Feng Xiao
Oakland 2008
2010 Andreas Haeberlen9
University of Pennsylvania
-
8/6/2019 sybilattack
10/22
o va on y uar s as severa ma or m a ons
number of Sybil nodes to be accepted -
Problem #2: No guarantees if the number of
Example: In a million-node network, SybilGuard can't bound
the number of sybils at all if there are >15,000 attack edges
Problem #3: Assumes fast-mixing property Has never been validated in the real world!
2010 Andreas Haeberlen
Is not obvious at all, given the presence of communities
10University of Pennsylvania
-
8/6/2019 sybilattack
11/22
on r u ons o y m
uaran ees are mprove rama ca y Within log n of the optimum for this type of system
2010 Andreas Haeberlen
Forma proo s or eac property11
University of Pennsylvania
-
8/6/2019 sybilattack
12/22
ow o ey o s Idea #1: Use many random routes, but
shorter ones Idea #2: Intersect edges, not nodes
Idea #4: Use a more robust technique to
2010 Andreas Haeberlen12
University of Pennsylvania
-
8/6/2019 sybilattack
13/22
eg s er ng a s
Idea #1: Intersect edges, not nodes
(square root of the number of edges between honest nodes)
For each route, remember only the last edge (the 'tail') Verifier rejects suspect if their sets of routes do not share
any tails
2010 Andreas Haeberlen
Effect #2: Reduces the number of slots available to attacker13
University of Pennsylvania
-
8/6/2019 sybilattack
14/22
a ance con on
Idea #2: Limit how often each tail may be
Because there are so many routes now (SybilGuard had just
But we can expect intersections to be distributed randomly,so we can enforce a limit on how often each tail can be used
2010 Andreas Haeberlen
Result: Limits #sybils accepted through 'escaping' tails
14University of Pennsylvania
-
8/6/2019 sybilattack
15/22
s ma ng e num er o rou es Idea #3: Use a more robust technique to
estimate the system parameter Recall that SybilGuard needs to estimate the length of the
walk, but this fails if there are too many attack edges
Uses a novel technique that mixes real suspects with somerandom other suspects that are known to be mostly honest
Guarantees that parameter will never be overestimated,
regardless of the attacker's behavior
2010 Andreas Haeberlen15
University of Pennsylvania
-
8/6/2019 sybilattack
16/22
ower oun SybilLimit bounds #sybils accepted per attack
edge to O(log n)
Yes, but only by at most log n
An s stem that relies on the same ro ert as S bilLimit(change in mixing time) would accept at least (1) sybils
per attack edge
2010 Andreas Haeberlen16
University of Pennsylvania
-
8/6/2019 sybilattack
17/22
x ng me Provable guarantees of SybilLimit rely on the
assumption that social network has small(O(log n)) mixing time
Question: Is this true of real social networks?, , ,
Problem: Cannot show directly that mixing time is O(log n) O(log n) is asymptotic behavior
But it is sufficient to show that small values of w aresufficient for SybilLimit to work well
2010 Andreas Haeberlen17
University of Pennsylvania
-
8/6/2019 sybilattack
18/22
x ng me
Result: Small w values are sufficient for large-
Evidence (though not proof) that the small-mixing-timeassumption holds for real social networks
2010 Andreas Haeberlen18
University of Pennsylvania
-
8/6/2019 sybilattack
19/22
ow many sy s are accep e now
2010 Andreas Haeberlen19
University of Pennsylvania
-
8/6/2019 sybilattack
20/22
a e-away po n s Sybil attacks are easy, dangerous, and real
Observed in deployed P2P systems (e.g., Maze) Not i icu t to o
Can subvert BFT, voting systems, DHT routing, ...
Typically assume the attacker is limited in some resource,
Danger of excluding resource-limited but legitimate users
Attacker assumed to be limited in #trust relationships;
results in small min-cut between sybils and honest users
2010 Andreas Haeberlen
Implementation far from trivial (see SybilGuard/SybilLimit)
20University of Pennsylvania
-
8/6/2019 sybilattack
21/22
ere are we
Building MAD systems
au s an s e av or
Internet crime
Spoofing Sybil attack
en a o erv ce
Phishing
ex me
Novel opportunities
2010 Andreas Haeberlen
Experience21
University of Pennsylvania
-
8/6/2019 sybilattack
22/22
ay une
Next week you will learn:
How to defend against Denial of Service attacks
2010 Andreas Haeberlen
using a Denial of Service attack22
University of Pennsylvania